CVE-2018-25397— PHP-SHOP 1.0 Cross-Site Request Forgery via users.php

PHP-SHOP 1.0 Cross-Site Request Forgery via users.php

PHP-SHOP 1.0 contains a cross-site request forgery vulnerability that allows unauthenticated attackers to add administrative users by crafting malicious HTML forms. Attackers can trick authenticated administrators into visiting a page containing a hidden form that automatically submits POST requests to the users.php endpoint with parameters like name, email, password, and permissions set to admin to create unauthorized admin accounts.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

跨站请求伪造(CSRF)

PHP-SHOP 跨站请求伪造漏洞

PHP-SHOP是joeyrush个人开发者的一个基于PHP的在线商城系统。 PHP-SHOP 1.0版本存在跨站请求伪造漏洞，该漏洞源于未验证请求来源，可能导致未经身份验证的攻击者通过特制HTML表单添加管理用户。

N/A

N/A